RephiWeb.Auth.Guardian (Rephi v0.1.0)
Guardian implementation for JWT token management with authorization support.
This module extends the basic Guardian functionality to include user roles and permissions in JWT tokens, enabling client-side authorization checks and reducing server round-trips for permission verification.
Token Claims
In addition to standard JWT claims, tokens include:
roles - Array of role slugs the user has assigned
permissions - Array of all permission slugs the user has (direct + via roles)
Example Token Claims
{
"sub": "123",
"exp": 1640995200,
"roles": ["manager", "user"],
"permissions": ["users:view", "users:create", "roles:view"]
}
Usage
# Generate token with enhanced claims
{:ok, token, claims} = Guardian.encode_and_sign(user)
# Extract user from token
{:ok, user} = Guardian.resource_from_token(token)
Summary
Functions
Callback implementation for Guardian.after_encode_and_sign/4.
Callback implementation for Guardian.after_sign_in/5.
Callback implementation for Guardian.before_sign_out/3.
Builds additional claims to include roles and permissions in the JWT token.
Fetches the configuration for this module.
Returns a resolved value of the configuration found at a key.
Decodes and verifies a token using the configuration on the implementation module.
The default type of token for this module.
Encodes the claims.
Exchanges a token of one type for another.
Callback implementation for Guardian.on_exchange/3.
Callback implementation for Guardian.on_refresh/3.
Callback implementation for Guardian.on_revoke/3.
Callback implementation for Guardian.on_verify/3.
Provides the content of the token but without verification of either the claims or the signature.
Refresh a token.
Callback implementation for Guardian.resource_from_claims/1.
Fetch the resource and claims directly from a token.
Revoke a token.
If Guardian.Plug.SlidingCookie is used, this callback will be invoked to return the new claims, or an error (which will mean the cookie will not be refreshed).
Callback implementation for Guardian.subject_for_token/2.
Callback implementation for Guardian.verify_claims/2.
Functions
Callback implementation for Guardian.after_encode_and_sign/4.
Callback implementation for Guardian.after_sign_in/5.
Callback implementation for Guardian.before_sign_out/3.
Builds additional claims to include roles and permissions in the JWT token.
This function is automatically called by Guardian when generating tokens. It enriches the standard JWT claims with the user's current roles and permissions, enabling client-side authorization checks.
Parameters
claims - The base JWT claims map
resource - The user struct to generate claims for
_opts - Additional options (unused)
Returns
{:ok, enhanced_claims} - Claims map with roles and permissions added
Example
# Before: %{"sub" => "123", "exp" => 1640995200}
# After: %{
# "sub" => "123",
# "exp" => 1640995200,
# "roles" => ["admin"],
# "permissions" => ["users:view", "users:create", "roles:manage"]
# }
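The following is an added example, not the Rephi project's own source, showing how a build_claims/3 callback producing the claims described above can be written alongside the other required Guardian callbacks. Rephi.Accounts, its get_user/1 and preload_roles_and_permissions/1 functions, and the :slug fields on roles and permissions are assumptions; the page does not show the project's schemas. Sorting and de-duplicating keeps the claim deterministic and bounds token size. Keep in mind that the lists are a snapshot taken at signing time: grants revoked after issuance stay in the token until it expires or is revoked, so the claim is a fast-path hint and the server remains the authority.

```elixir
defmodule RephiWeb.Auth.Guardian do
  # Added example; the real module's source is not shown on this page.
  use Guardian, otp_app: :rephi

  # Hypothetical accounts context. The page does not show how the project loads roles.
  alias Rephi.Accounts

  @impl Guardian
  def subject_for_token(%{id: id}, _claims), do: {:ok, to_string(id)}
  def subject_for_token(_resource, _claims), do: {:error, :no_subject}

  @impl Guardian
  def resource_from_claims(%{"sub" => id}) do
    case Accounts.get_user(id) do
      nil -> {:error, :resource_not_found}
      user -> {:ok, user}
    end
  end

  def resource_from_claims(_claims), do: {:error, :no_subject}

  # Guardian calls this while encoding; it merges "roles" and "permissions"
  # into the base claims ("sub", "exp", ...) as the example above shows.
  @impl Guardian
  def build_claims(claims, user, _opts) do
    # Assumed helper: loads user.roles (each with .permissions) and user.permissions.
    user = Accounts.preload_roles_and_permissions(user)

    roles =
      user.roles
      |> Enum.map(& &1.slug)
      |> Enum.sort()

    # Direct grants plus grants inherited through roles, de-duplicated so the
    # token stays small and the claim is deterministic for the same user.
    permissions =
      user.roles
      |> Enum.flat_map(& &1.permissions)
      |> Enum.concat(user.permissions)
      |> Enum.map(& &1.slug)
      |> Enum.uniq()
      |> Enum.sort()

    {:ok, Map.merge(claims, %{"roles" => roles, "permissions" => permissions})}
  end
end
```

With this module configured as the Guardian implementation, `RephiWeb.Auth.Guardian.encode_and_sign(user)` returns a token whose claims carry the two extra lists, matching the Usage section above.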
@spec config() :: Keyword.t()
Fetches the configuration for this module.
Returns a resolved value of the configuration found at a key.
@spec decode_and_verify( Guardian.Token.token(), Guardian.Token.claims(), Guardian.options() ) :: {:ok, Guardian.Token.claims()} | {:error, any()}
Decodes and verifies a token using the configuration on the implementation module.
@spec default_token_type() :: String.t()
The default type of token for this module.
@spec encode_and_sign(any(), Guardian.Token.claims(), Guardian.options()) :: {:ok, Guardian.Token.token(), Guardian.Token.claims()} | {:error, any()}
Encodes the claims.
See Guardian.encode_and_sign/4 for more information.
@spec exchange( token :: Guardian.Token.token(), from_type :: String.t() | [String.t(), ...], to_type :: String.t(), options :: Guardian.options() ) :: {:ok, {Guardian.Token.token(), Guardian.Token.claims()}, {Guardian.Token.token(), Guardian.Token.claims()}} | {:error, any()}
Exchanges a token of one type for another.
See Guardian.exchange for more information.
Callback implementation for Guardian.on_exchange/3.
Callback implementation for Guardian.on_refresh/3.
Callback implementation for Guardian.on_revoke/3.
Callback implementation for Guardian.on_verify/3.
Provides the content of the token but without verification of either the claims or the signature.
Claims will be present at the :claims key.
See Guardian.peek/2 for more information.
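Because peek/2 returns claims without checking the signature, anything read from it is attacker-controlled input. Server-side permission checks must use claims that came through decode_and_verify. The plug below is an added example, not code from the Rephi project: it enforces a permission using Guardian.Plug.current_claims/1, which only holds claims that Guardian.Plug.VerifyHeader or VerifySession verified earlier in the pipeline. The module name and the JSON error shape are assumptions, and it presumes a Guardian.Plug.Pipeline configured with module: RephiWeb.Auth.Guardian plus Guardian.Plug.EnsureAuthenticated ahead of it.

```elixir
defmodule RephiWeb.Plugs.RequirePermission do
  # Added example; not part of the Rephi project as shown on this page.
  import Plug.Conn

  # Usage in a router pipeline, after Guardian.Plug.VerifyHeader and
  # Guardian.Plug.EnsureAuthenticated have verified the token signature:
  #   plug RephiWeb.Plugs.RequirePermission, "users:create"
  def init(permission) when is_binary(permission), do: permission

  def call(conn, permission) do
    # Guardian.Plug.current_claims/1 returns only claims that reached the conn
    # through decode_and_verify, never the unverified output of peek/2.
    claims = Guardian.Plug.current_claims(conn)

    if authorized?(claims, permission) do
      conn
    else
      conn
      |> put_status(:forbidden)
      |> Phoenix.Controller.json(%{error: "forbidden", missing: permission})
      |> halt()
    end
  end

  # Pure check, kept separate so it can be unit-tested without a conn.
  # A token with no "permissions" claim (or a malformed one) is denied.
  def authorized?(%{"permissions" => permissions}, permission) when is_list(permissions),
    do: permission in permissions

  def authorized?(_claims, _permission), do: false
end
```

The same "permissions" list the client reads for UI decisions is what this plug checks, so the client-side check is a convenience and the plug is the actual control. For operations where a stale snapshot is unacceptable (role removal, account lock-out), reload the resource with Guardian.Plug.current_resource/1 and consult the database instead of the claim.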
@spec refresh(Guardian.Token.token(), Guardian.options()) :: {:ok, {Guardian.Token.token(), Guardian.Token.claims()}, {Guardian.Token.token(), Guardian.Token.claims()}} | {:error, any()}
Refresh a token.
See Guardian.refresh for more information.
Callback implementation for Guardian.resource_from_claims/1.
@spec resource_from_token( token :: Guardian.Token.token(), claims_to_check :: Guardian.Token.claims() | nil, opts :: Guardian.options() ) :: {:ok, Guardian.Token.resource(), Guardian.Token.claims()} | {:error, any()}
Fetch the resource and claims directly from a token.
See Guardian.resource_from_token for more information.
@spec revoke(Guardian.Token.token(), Guardian.options()) :: {:ok, Guardian.Token.claims()} | {:error, any()}
Revoke a token.
See Guardian.revoke for more information.
@spec sliding_cookie( current_claims :: Guardian.Token.claims(), current_resource :: Guardian.Token.resource(), options :: Guardian.options() ) :: {:ok, new_claims :: Guardian.Token.claims()} | {:error, any()}
If Guardian.Plug.SlidingCookie is used, this callback will be invoked to return the new claims, or an error (which will mean the cookie will not be refreshed).
Callback implementation for Guardian.subject_for_token/2.
Callback implementation for Guardian.verify_claims/2.